James Rundle
The Biden administration released its long-awaited national cybersecurity strategy Thursday, setting out in broad terms how the U.S. government should approach cybercrime, its own defenses, and the private sector’s responsibility for security over the next several years.
The White House says an updated strategy, cohesive across federal agencies, is necessary due to the growing importance of digital services, spurred in part by stay-at-home orders during the coronavirus pandemic. At the same time, the White House says, malicious cyber activity has evolved from a criminal nuisance to a threat to national security, conducted by criminal gangs and nation-states.
“I think it’s an impressive piece of work that says some things that have needed to be said for quite a while about critical infrastructure and software security,” said Jeff Greene, the senior director for cybersecurity programs at The Aspen Group, a nonprofit policy and research organization. Until July, Mr. Greene was the chief for cyber response and policy at the National Security Council.
What is the National Cybersecurity Strategy?
Overseen in part by former National Cyber Director Chris Inglis, who retired in February, the 35-page document contains recommendations on a broad swath of cyber policy, from international collaboration on tackling cybercrime to securing internet-connected devices.
The new strategy replaces a document issued in 2018 by the Trump administration.
Some elements of the strategy, including that the federal government should assess the need for a government backstop for cyber insurers, are speculative. Others specify direct action, such as plans for regulations in critical-infrastructure sectors such as healthcare, financial services and water that define minimum cybersecurity standards.
“The president’s strategy fundamentally reimagines America’s cyber-social contract,” said Kemba Walden, the acting national cyber director, during a call with reporters Wednesday. “It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it,” she said.
What does the strategy cover?
This strategy goes further than those issued by previous administrations and takes a more prescriptive approach to cyber rules.
The White House outlined five key areas for action: Improving cyber defenses at critical infrastructure operators
Disrupting hackers and criminal gangs
Enhancing the security of technology sold to companies
Funding public investments to support cyber upgrades
Working internationally to combat cybercrime
Whereas the federal government has tended to focus on specific sectors in recent years, such as oil and gas pipelines in the wake of the Colonial Pipeline Co. ransomware attack in May 2021, or federal agencies after the attack on SolarWinds Corp. disclosed in December 2020, this document has a much broader scope.
Anne Neuberger, deputy national security adviser for cyber and emerging technology.PHOTO: LEIGH VOGEL — POOL VIA CNP/ZUMA PRESS
“We recognize that we need to move from a public-private partnership, information-sharing approach to implementing minimum mandates,” said Anne Neuberger, deputy national security adviser for cyber and emerging technology, on the same call as Ms. Walden.
“Information-sharing and public-private partnerships are inadequate for the threats we face when we look at critical infrastructure,” Ms. Neuberger said.
Who does it affect?
While the strategy calls for federal agencies to improve their defenses through the implementation of more advanced security, there are also provisions and suggestions for grants for state and local governments and private companies, particularly critical infrastructure operators and technology suppliers.
A key thread throughout the document is the need for greater responsibility from the private sector—particularly larger and better-resourced companies—to ensure data and systems are protected from hackers. The strategy calls for greater liability for companies that fail to build minimum security standards into their products.
Companies with more resources should be asked to do more, Ms. Walden said. “Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses and local governments to shoulder a significant burden for defending us all,” she said. “This isn’t just unfair, it’s ineffective.”
The strategy calls for laws to govern how personal data is collected and protected, and says that national guidelines should be developed by bodies such as the National Institute of Standards and Technology, an arm of the Commerce Department.
What are the next steps?
The Office of the National Cyber Director said it would work with the Office of Management and Budget to publish a plan for putting the strategy into effect and report annually to the president and lawmakers on its progress. Both agencies will issue annual guidance to federal departments and agencies on cybersecurity budgets and work with Congress for additional funding requirements, such as grants. Areas that require changes to existing policies will be led by the NSC, the strategy says.
The implementation plan has been developed in tandem with the strategy, a senior administration official said Wednesday evening. Some elements have been put into motion already.
“We anticipate that we will have a public snapshot of the implementation plan out in the coming months,” the official said.
No comments:
Post a Comment